louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0

Configuration for Traefik ForwardAuth #658

Open JulesTriomphe opened 4 years ago

JulesTriomphe commented 4 years ago

Configuration for Traefik ForwardAuth

Summary

I'm running Keycloak, Louketo, Traefik and a WhoAmI container in Docker Swarm. After configuring everything, I am able to authenticate with my IdP (Keycloak), but there is a redirection error, so I am unable to access the WhoAmI container.

Environment

Docker version 19.03.12, build 48a66213f
docker-compose version 1.24.0, build 0aa59064
Keycloak: quay.io/keycloak/keycloak:latest
Louketo: quay.io/louketo/louketo-proxy:1.0.0
Traefik: traefik:v2.2
WhoAmI: containous/whoami:v1.3.0

Expected Results

I expect to be able to access my WhoAmI container.

Actual Results

[image] (It means the redirection is wrong. I checked, and if it is a cookie problem, it is not coming from the browser.)

Steps to reproduce

Traefik configuration (proxy.yml)

version: '3.7'

configs:
  app_users_proxy_app:
    file: ./users/proxy_app

networks:
  traefik_public:
    external: true

secrets:
  # PROVIDER SECRETS FOR TLS CHALLENGE

services:
  app:
    configs:
      - source: app_users_proxy_app
        target: /users/proxy_app
    deploy:
      mode: global
      resources:
        limits:
          memory: 64M
        reservations:
          memory: 32M
      placement:
        constraints:
          - node.platform.arch == x86_64
      labels:
        # Enable the Dashboard
        - "traefik.enable=true"

        # Dashboard settings
        # Address
        - "traefik.http.routers.proxy_app.rule=Host(`dashboard.example.com`)"
        - "traefik.http.services.proxy_app.loadbalancer.server.port=8080"
        # Route
        - "traefik.http.routers.proxy_app.entryPoints=websecure"
        - "traefik.http.routers.proxy_app.tls.certResolver=leresolver"
        - "traefik.http.routers.proxy_app.service=api@internal"

        # Authentication
        - "traefik.http.routers.proxy_app.middlewares=auth_proxy_app"
        - "traefik.http.middlewares.auth_proxy_app.basicAuth.usersFile=/users/proxy_app"

        # Global redirect to https
        - "traefik.http.routers.catchall_0080.rule=hostregexp(`{host:.+}`)"
        - "traefik.http.routers.catchall_0080.entryPoints=web"
        - "traefik.http.routers.catchall_0080.middlewares=redirect_0443"
        # Middleware redirect to https
        - "traefik.http.middlewares.redirect_0443.redirectscheme.scheme=https"
        - "traefik.http.middlewares.redirect_0443.redirectscheme.permanent=true"
    env_file:
      - ./env_proxy_app.env
    image: "traefik:v2.2"
    networks:
      - traefik_public
    ports:
      # WEB
      ## HTTP
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      ## HTTPS
      - target: 443
        published: 443
        protocol: tcp
        mode: host
    secrets:
      # PROVIDER SECRETS
    volumes:
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./acme.json:/acme.json
      - /var/run/docker.sock:/var/run/docker.sock:ro

WhoAmI configuration (whoami.yml)

version: '3.7'

networks:
  net:
    driver: overlay
    internal: true
    attachable: false
    driver_opts:
      # Required to access the socket from another node
      encrypted: 'false'
    ipam:
      config:
        - subnet: 172.19.1.0/24
  traefik_public:
    external: true

services:
  auth:
    command:
      - "--config=/etc/auth_conf.yml"
    deploy:
      labels:
        # Enable the app
        - "traefik.enable=true"

        # App settings
        # Address
        - "traefik.http.routers.whoami_auth.rule=Host(`auth.whoami.example.com`)"
        - "traefik.http.services.whoami_auth.loadbalancer.server.port=3000"
        # Route
        - "traefik.http.routers.whoami_auth.entryPoints=websecure"
        - "traefik.http.routers.whoami_auth.tls.certResolver=leresolver"
    image: quay.io/louketo/louketo-proxy:1.0.0
    networks:
      - net
      - traefik_public
    volumes:
      - ./auth_conf.yml:/etc/auth_conf.yml

  app:
    deploy:
      labels:
        # Enable the app
        - "traefik.enable=true"

        # App settings
        # Address
        - "traefik.http.routers.whoami_app.rule=Host(`whoami.example.com`)"
        - "traefik.http.services.whoami_app.loadbalancer.server.port=80"
        # Route
        - "traefik.http.routers.whoami_app.entryPoints=websecure"
        - "traefik.http.routers.whoami_app.tls.certResolver=leresolver"

        # Authentication
        - "traefik.http.routers.whoami_app.middlewares=auth_whoami_app"
        - "traefik.http.middlewares.auth_whoami_app.forwardauth.address=http://auth.whoami.example.com"
        - "traefik.http.middlewares.auth_whoami_app.forwardauth.trustForwardHeader=true"
    image: containous/whoami:v1.3.0
    networks:
      - net
      - traefik_public
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro

Proxy configuration (auth_conf.yml)

# the URL from which to retrieve the OpenID configuration
discovery-url: https://login.example.com/auth/realms/MYREALM/.well-known/openid-configuration
# the client id for the 'client' application
client-id: WhoAmI
# the secret associated to the 'client' application
client-secret: <CLIENT SECRET>
# the interface definition you wish the proxy to listen, all interfaces is specified as ':<port>', unix sockets as unix://<REL_PATH>|</ABS PATH>
listen: :3000
# whether to enable refresh tokens
enable-refresh-tokens: true
# log all incoming requests
enable-logging: true
# the redirection URL, essentially the site URL, note: /oauth/callback is added at the end
redirection-url: https://whoami.example.com
# the encryption key used to encode the session state
# cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1
encryption-key: <32 character encryption key>
# the upstream endpoint to which we should proxy requests
upstream-url: https://whoami.example.com
# Returns HTTP 401 when no authentication is present, used with forward proxies.
no-redirects: false
# a collection of resources, i.e. URLs, that you wish to protect
resources:
- uri: /*
  # the methods on this URL that should be protected; if missing, we assume all
  # a list of roles the user must have in order to access URLs under the above
  # If all you want is authentication ONLY, simply remove the roles array - the user must be authenticated but
  # no roles are required
  roles:
  - whoami-user
  require-any-role: true

Additional Information

I have tried using the internal names of the auth and app containers for the WhoAmI stack as the upstream and redirection URLs, without success.
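The whoami.yml labels above hand authentication to a Traefik ForwardAuth middleware (`forwardauth.address`, `trustForwardHeader=true`), and auth_conf.yml's `no-redirects` option decides what the auth service answers when no session is present. The following is an added example, not code from the issue, Traefik or Louketo: a small model of the ForwardAuth contract as Traefik documents it (X-Forwarded-Method/Proto/Host/Uri/For describe the original request, a 2xx lets the request through, any other answer goes back to the client unchanged) with a constructed stand-in for the auth service. The `kc-access` cookie name, the `tok123` session and the Keycloak authorize URL are assumptions for the example. It also shows what `trustForwardHeader=true` means in practice: an `X-Forwarded-Proto` or `X-Forwarded-For` header supplied by the client is passed on to the auth service instead of Traefik's own value.

```python
"""Model of Traefik's ForwardAuth contract. Added example, not code from
Traefik, Louketo or the issue. Behaviour mirrored from the middleware's
documentation: Traefik sends the incoming request (headers such as Cookie
included) to the forwardauth address with X-Forwarded-Method/Proto/Host/Uri/For
describing the original request; a 2xx answer lets the request through to the
service (optionally copying authResponseHeaders onto it), any other answer is
returned to the client as-is. With trustForwardHeader=true, X-Forwarded-*
headers already present on the incoming request are kept instead of being
overwritten with Traefik's own view of the connection."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Tuple, Union


@dataclass
class Request:
    method: str
    scheme: str        # scheme Traefik terminated: "https" on the websecure entrypoint
    host: str
    uri: str
    client_ip: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)


FORWARDED = ("X-Forwarded-Method", "X-Forwarded-Proto", "X-Forwarded-Host",
             "X-Forwarded-Uri", "X-Forwarded-For")


def build_auth_headers(req: Request, trust_forward_header: bool) -> Dict[str, str]:
    """Headers of the request Traefik makes to the auth service."""
    derived = dict(zip(FORWARDED, (req.method, req.scheme, req.host, req.uri, req.client_ip)))
    out = {k: v for k, v in req.headers.items() if k not in FORWARDED}
    for name in FORWARDED:
        client_value = req.headers.get(name)
        # Trusted: a client-supplied X-Forwarded-* value survives; otherwise Traefik's own wins.
        out[name] = client_value if (trust_forward_header and client_value) else derived[name]
    return out


AuthService = Callable[[Dict[str, str]], Response]


def forward_auth(req: Request, auth: AuthService, trust_forward_header: bool,
                 auth_response_headers: Iterable[str] = ()) -> Tuple[str, Union[Request, Response]]:
    """Traefik's decision: ("forward", request sent upstream) or ("deny", auth response for the client)."""
    auth_resp = auth(build_auth_headers(req, trust_forward_header))
    if 200 <= auth_resp.status < 300:
        for name in auth_response_headers:
            if name in auth_resp.headers:
                req.headers[name] = auth_resp.headers[name]
        return "forward", req
    return "deny", auth_resp


def parse_cookies(header: str) -> Dict[str, str]:
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def session_auth_service(valid_sessions: Dict[str, str], no_redirects: bool,
                         idp_authorize_url: str) -> AuthService:
    """Constructed stand-in for the service at the forwardauth address (not Louketo's code).
    Accepts when the kc-access cookie (assumed name) carries a known session; otherwise
    behaves as the no-redirects option describes: 401 when set, a redirect to the IdP when not."""
    def handler(headers: Dict[str, str]) -> Response:
        token = parse_cookies(headers.get("Cookie", "")).get("kc-access")
        if token in valid_sessions:
            return Response(200, {"X-Auth-Email": valid_sessions[token]})
        if no_redirects:
            return Response(401)
        return Response(307, {"Location": idp_authorize_url})
    return handler


if __name__ == "__main__":
    idp = "https://login.example.com/auth/realms/MYREALM/protocol/openid-connect/auth"  # assumed
    auth = session_auth_service({"tok123": "alice@example.com"}, no_redirects=False, idp_authorize_url=idp)
    anon = Request("GET", "https", "whoami.example.com", "/", "203.0.113.5")
    print(forward_auth(anon, auth, trust_forward_header=True))   # deny: 307 to the IdP
    spoof = Request("GET", "https", "whoami.example.com", "/", "203.0.113.5",
                    {"X-Forwarded-Proto": "http", "X-Forwarded-For": "10.0.0.1"})
    print(build_auth_headers(spoof, True)["X-Forwarded-For"])     # client-chosen value passes through
```

With `no-redirects: false` the denied request turns into the auth service's redirect to the IdP, which is why a misbehaving session cookie shows up in the browser as a chain of redirects rather than a 401. `trustForwardHeader=true` is only safe when Traefik itself sits behind a proxy that sets those headers; on an edge Traefik any client can choose them.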

jangaraj commented 4 years ago

Could you provide an English error message (e.g. use a browser with English language) and the request flow from the browser network console (blind guess: there are many redirects between app and IdP).

JulesTriomphe commented 4 years ago

There are indeed many redirects between the app and the IdP. HAR file is attached: auth.whoami.example.com.txt. Here is the error message from Chrome (in English): [image]

Thanks a lot for your help!

sub6as commented 4 years ago

Does it work in Firefox?

I've noticed the same behaviour in Chrome, but it works in Firefox.

Chrome is blocking the Set-Cookie, as the cookie is marked as Secure but sent via HTTP.
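jangaraj asked for the request flow from the network console and JulesTriomphe attached a HAR file; sub6as points at a Secure cookie being set over plain HTTP. The following is an added example, not code from the issue or from Louketo, that automates exactly that reading of a HAR 1.2 export: it counts the 3xx hops, reports any endpoint requested more than once (query string ignored, so rotating `state`/`code` parameters do not hide a loop), and lists Set-Cookie headers carrying the `Secure` attribute on a response to an `http://` request, which browsers refuse to store. The embedded HAR is constructed for the example and the hostnames, cookie names and Keycloak endpoint are assumptions; run it against a real export with `analyze(open("auth.whoami.example.com.txt").read())`.

```python
"""Redirect-chain and cookie check over a HAR export. Added example, not code
from the issue or from Louketo. It walks the HAR 1.2 entries in order and
reports three things a ForwardAuth redirect loop usually leaves behind: the
number of 3xx hops, any URL (query and fragment ignored) requested more than
once, and Set-Cookie headers with the Secure attribute on a response to a plain
http:// request. The embedded HAR is constructed for the example."""
import json
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit


def _entry(url: str, status: int, response_headers: List[Tuple[str, str]]) -> dict:
    """Build one HAR 1.2 entry (GET request, response headers as (name, value) pairs)."""
    location = next((v for n, v in response_headers if n == "Location"), "")
    return {"request": {"method": "GET", "url": url, "headers": []},
            "response": {"status": status, "redirectURL": location,
                         "headers": [{"name": n, "value": v} for n, v in response_headers]}}


IDP_AUTH = "https://login.example.com/auth/realms/MYREALM/protocol/openid-connect/auth"  # assumed endpoint

# Constructed flow: app -> IdP -> callback on a plain-http auth host -> app -> IdP again.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    _entry("https://whoami.example.com/", 307,
           [("Location", IDP_AUTH + "?client_id=WhoAmI&state=s1")]),
    _entry(IDP_AUTH + "?client_id=WhoAmI&state=s1", 302,
           [("Location", "http://auth.whoami.example.com/oauth/callback?code=c1&state=s1"),
            ("Set-Cookie", "KEYCLOAK_SESSION=constructed; Path=/auth/realms/MYREALM/; Secure")]),
    _entry("http://auth.whoami.example.com/oauth/callback?code=c1&state=s1", 307,
           [("Location", "https://whoami.example.com/"),
            ("Set-Cookie", "kc-access=constructed.jwt; Path=/; Secure; HttpOnly"),
            ("Set-Cookie", "kc-state=constructed.refresh; Path=/; Secure; HttpOnly")]),
    _entry("https://whoami.example.com/", 307,
           [("Location", IDP_AUTH + "?client_id=WhoAmI&state=s2")]),
]}})


def header_values(headers: List[dict], name: str) -> List[str]:
    """All values of a (case-insensitive) header name; Set-Cookie may appear several times."""
    return [h["value"] for h in headers if h["name"].lower() == name.lower()]


def normalize(url: str) -> str:
    """Drop query and fragment so the same endpoint compares equal across hops."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", "", ""))


def analyze(har_text: str) -> Dict[str, object]:
    findings = {"redirects": 0, "repeated": [], "secure_over_http": [], "chain": []}
    seen = set()
    for entry in json.loads(har_text)["log"]["entries"]:
        url = entry["request"]["url"]
        status = entry["response"]["status"]
        headers = entry["response"]["headers"]
        location = header_values(headers, "Location")
        findings["chain"].append((status, url, location[0] if location else None))
        if 300 <= status < 400:
            findings["redirects"] += 1
        key = normalize(url)
        if key in seen and key not in findings["repeated"]:
            findings["repeated"].append(key)          # same endpoint hit again: loop candidate
        seen.add(key)
        if urlsplit(url).scheme == "http":
            for cookie in header_values(headers, "Set-Cookie"):
                name, _, rest = cookie.partition("=")
                attributes = {a.strip().lower() for a in rest.split(";")[1:]}
                if "secure" in attributes:              # Secure cookie from an insecure origin
                    findings["secure_over_http"].append((key, name.strip()))
    return findings


if __name__ == "__main__":
    result = analyze(SAMPLE_HAR)
    for status, url, location in result["chain"]:
        print(status, url, "->", location)
    print("redirects:", result["redirects"])
    print("repeated:", result["repeated"])
    print("secure cookies set over http:", result["secure_over_http"])
```

A repeated first URL together with Secure cookies issued on an `http://` hop is the signature to look for: the cookie the auth service sets on the callback never reaches the browser's jar, so the next request to the app is again unauthenticated and the chain starts over.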

JulesTriomphe commented 4 years ago

It does not work in Firefox either (cf. the first screenshot). The error message says the request is not redirected correctly. It suggests that the problem is a cookie problem.

lyndon160 commented 4 years ago

Does louketo-proxy support forward auth? There are other merge requests claiming to add support for it which have not been merged.

lyndon160 commented 4 years ago

Related issues and pull requests: https://github.com/louketo/louketo-proxy/issues/399 https://github.com/louketo/louketo-proxy/pull/501 https://github.com/louketo/louketo-proxy/pull/505